Post on 12-Jan-2016
transcript
Slide 1
Copyright © 2014 M. E. Kabay. All rights reserved.
CSH5 Chapter 67 “Developing Classification Policies for Data”
Karthik Raman & Kevin Beets
Classification Policies
Slide 2
TOPICS
• Introduction
• Purpose / Benefits
• Role in IA
• Legal Requirements
• Design & Implementation
• DC Solutions
Slide 3
Introduction
• Popular literature / media refer to “TOP SECRET”
  • No clear understanding of issues
  • Misrepresentation as negative: hiding information from stakeholders
• Data classification
  • Labels info to support compliance with data-protection policies
  • Historically used by government, military, government contractors
  • Now increasingly used to comply with legal requirements on commercial organizations
    • Financial / operational records
    • Privacy protection
Slide 4
Purpose / Benefits
• Information life cycle management (ILM)
  • Control of data throughout life cycle: creation, access, modification, destruction
• Legal requirements increasing pressure in private sector; e.g., HIPAA, European Privacy Directive
• Benefits
  • Compliance with data standards, legal requirements
  • Streamlined / secure data sharing
  • Efficient data storage / retrieval
  • Tracking data through ILM
Slide 5
Role in IA
• Federal Financial Institutions Examination Council (FFIEC) guidelines
  • Ensure consistent protection of data
  • Focus controls / efforts efficiently
  • Systems must be classified at the highest level of information stored / transmitted
• Supports risk analysis
• Clarifies basis for access restrictions
• Supports business continuity planning & disaster recovery planning
• May be mandatory
• Necessary for data-loss prevention (DLP)
Slide 6
Legal Requirements in US
• Privacy Act of 1974
  • Including Computer Matching & Privacy Protection Act of 1988
• Family Educational Rights & Privacy Act (FERPA)
• Health Insurance Portability & Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Sarbanes-Oxley Act (SOX)
• Federal Rules of Civil Procedure (FRCP)
Slide 7
Compliance Standards (1)
• US Federal Government: Executive Order 12958
  • Further Amendment to Executive Order 12958… Classified National Security Information
• ISO/IEC 27001:2005
  • Guidelines & principles for information security management
  • 5 levels: Public documents, Internal use only, Proprietary, Highly confidential, Top secret
Slide 8
Compliance Standards (2)
• Defense contracting (DoD)
• Finances (Federal Financial Institutions Examination Council – FFIEC)
• Life sciences (FDA)
• Media, telecom (FCC)
Slide 9
Design
• Obtain management approval
• Study BCP, IT assets, storage management
• Present benefits of DC to business unit (BU) heads
• Survey users in BUs re data utilization / management & preferences for organization & labeling
• List revenue-generating & mission-critical usage of data for each BU
• Study information sharing
Slide 10
Implementation
• Obtain management approval
• Map data labeling to available hardware, networks, systems, storage
• Apply automation / DC tools as appropriate
• Guide users through adoption & solicit feedback
• Develop service-level agreements (SLAs) for data usage
• Plan for DLP
• Develop cost model
• Report results to management
Slide 11
DC Solutions
• Primarily related to data storage
  • Virtualization
  • Deduplication
  • Cheaper media
• Features of DC software
  • Policy-based data-type discovery
  • File metadata classification
  • Multiple file system management
  • Compliance & legal considerations
  • Report style
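As an added example (not from the chapter or from any product the deck shows), the rules the slides state can be written down and run: the five ISO/IEC 27001 levels from the Compliance Standards slide, policy-based data-type discovery from the feature list above, the FFIEC rule from the Role in IA slide that a system is classified at the highest level it stores, and a DLP-style check that flags files placed on storage not approved for their label. The discovery patterns, file paths, file contents and storage-system names are all constructed for this example.

```python
import re
from enum import IntEnum

class Level(IntEnum):
    """The five levels on the ISO/IEC 27001 slide, ordered so max() picks the most restrictive."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    PROPRIETARY = 2
    HIGHLY_CONFIDENTIAL = 3
    TOP_SECRET = 4

# Hypothetical discovery policy: a content pattern implies a minimum label.
# Patterns and the sample data below are constructed for this example, not taken from any product.
DISCOVERY_POLICY = [
    (re.compile(r"\bTOP SECRET\b"), Level.TOP_SECRET),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Level.HIGHLY_CONFIDENTIAL),          # SSN-shaped number
    (re.compile(r"\b(patient|diagnosis)\b", re.I), Level.HIGHLY_CONFIDENTIAL),  # PHI (HIPAA)
    (re.compile(r"\b(confidential|do not distribute)\b", re.I), Level.PROPRIETARY),
    (re.compile(r"\binternal use only\b", re.I), Level.INTERNAL_USE_ONLY),
]
SAMPLE_FILES = {  # constructed: path -> content
    "share/press/release.txt": "Product launch press release, for public distribution.",
    "share/hr/handbook.txt": "Employee handbook. INTERNAL USE ONLY.",
    "share/eng/roadmap.txt": "Confidential roadmap, do not distribute outside the team.",
    "share/clinic/visit.txt": "Patient 4711, diagnosis recorded; SSN 123-45-6789.",
}
PLACEMENT = {  # constructed: path -> storage system holding it
    "share/press/release.txt": "public-web",
    "share/hr/handbook.txt": "intranet",
    "share/eng/roadmap.txt": "intranet",
    "share/clinic/visit.txt": "intranet",
}
APPROVED = {"public-web": Level.PUBLIC, "intranet": Level.PROPRIETARY}  # highest level each system may hold

def classify_content(text: str) -> Level:
    """Policy-based data-type discovery: the label is the highest level any pattern triggers."""
    return max((lvl for pat, lvl in DISCOVERY_POLICY if pat.search(text)), default=Level.PUBLIC)

def classify_files(files: dict) -> dict:
    """Label every file (path -> content) according to the discovery policy."""
    return {path: classify_content(body) for path, body in files.items()}

def system_level(labels: dict, placement: dict, system: str) -> Level:
    """FFIEC rule: a system is classified at the highest level of information it stores."""
    return max((labels[p] for p, s in placement.items() if s == system), default=Level.PUBLIC)

def misplaced_files(labels: dict, placement: dict, approved: dict) -> list:
    """DLP-style check: files whose label exceeds the level their storage system is approved for."""
    return sorted(p for p, s in placement.items() if labels[p] > approved[s])
```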
Slide 12
Product Roundup from SearchStorage
http://searchstorage.techtarget.com/report/Product-Roundup-Data-classification
Slide 13
Varonis
• http://www.varonis.com/products/data-classification-framework.html
Professor Kabay has no financial interest in any of the products shown as examples.
Slide 14
TITUS
• http://www.titus.com/software/message-classification/
• Specifically for email control
Professor Kabay has no financial interest in any of the products shown as examples.
Slide 15
Some Useful Videos
• Data Classification
  • Part 1 < http://www.youtube.com/watch?v=rfP56qua5pc >
  • Part 2 < http://www.youtube.com/watch?v=1-Y2EvWMhD0 >
• What is Network Data Loss Prevention (McAfee) < http://www.youtube.com/watch?v=9jLK5jybSnI >
• TITUS Classification Solutions Overview < http://www.youtube.com/watch?v=dsuH_EA_NdY&feature=pyv >
• McAfee Data Loss Prevention (DLP) < http://www.youtube.com/watch?v=TXYNNSaMxsI >
Slide 16
DISCUSSION